RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1172310 - support Keystone LDAP
Summary: support Keystone LDAP
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-packstack
Version: trunk
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Ivan Chavero
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On: 1082729 1187706 1205768 1205781 1205966
Blocks:
 
Reported: 2014-12-09 20:00 UTC by Rich Megginson
Modified: 2023-02-22 23:02 UTC
CC: 13 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, support for LDAP identity back ends for Keystone has been added. Several new parameters are now available:
CONFIG_KEYSTONE_IDENTITY_BACKEND
CONFIG_KEYSTONE_LDAP_URL
CONFIG_KEYSTONE_LDAP_USER_DN
CONFIG_KEYSTONE_LDAP_USER_PASSWORD
CONFIG_KEYSTONE_LDAP_SUFFIX
CONFIG_KEYSTONE_LDAP_QUERY_SCOPE
CONFIG_KEYSTONE_LDAP_PAGE_SIZE
CONFIG_KEYSTONE_LDAP_USER_SUBTREE
CONFIG_KEYSTONE_LDAP_USER_FILTER
CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS
CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_NAME_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_MAIL_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK
CONFIG_KEYSTONE_LDAP_USER_ENABLED_DEFAULT
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT
CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE
CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE
CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN
CONFIG_KEYSTONE_LDAP_USER_ADDITIONAL_ATTRIBUTE_MAPPING
CONFIG_KEYSTONE_LDAP_GROUP_SUBTREE
CONFIG_KEYSTONE_LDAP_GROUP_FILTER
CONFIG_KEYSTONE_LDAP_GROUP_OBJECTCLASS
CONFIG_KEYSTONE_LDAP_GROUP_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_NAME_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE
CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING
CONFIG_KEYSTONE_LDAP_USE_TLS
CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR
CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE
CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT
Clone Of:
Environment:
Last Closed: 2017-06-18 06:08:57 UTC
Embargoed:




Links
System            ID       Private  Priority  Status  Summary  Last Updated
Launchpad         1383793  0        None      None    None     Never
Launchpad         1391373  0        None      None    None     Never
OpenStack gerrit  129989   0        None      None    None     Never
OpenStack gerrit  159121   0        None      None    None     Never

Description Rich Megginson 2014-12-09 20:00:53 UTC
Description of problem:

Need to be able to use packstack to set up Keystone with LDAP identity backend.


Comment 2 Rich Megginson 2015-01-30 16:10:47 UTC
The bugs are fixed upstream in master.  For the puppet-keystone bug 1391373, the backport review to juno needs approval, and we need to get another openstack-puppet-modules build with this fix in it for RHOS6.  For the packstack bug 1383793, do we need to backport that fix to juno?

Comment 4 Rich Megginson 2015-02-27 17:21:48 UTC
This is fixed upstream - see https://bugzilla.redhat.com/show_bug.cgi?id=1082729

Can this bug be moved to POST?

Comment 6 Gaël Chamoulaud 2015-03-03 12:45:01 UTC
Fix merged in packstack/master:
- https://review.openstack.org/#/c/129989/

And this patch has been backported into Packstack/Juno:
- https://review.openstack.org/#/c/159121/

Comment 8 Mike Abrams 2015-03-15 11:18:30 UTC
From the code review in the reference bz, can you give a config snippet example of the following:

Each component that uses apache
must call "include packstack::apache_common".  This ensures that
a subsequent component manifest will not wipe out apache
configuration created by a previous component manifest or the initial
apache configuration created by prescript.pp.

please indicate parameters/examples for testing past this entry in the answer file:

[general]
CONFIG_KEYSTONE_SERVICE_NAME=httpd

Thanks.

Comment 9 Rich Megginson 2015-03-15 18:43:46 UTC
(In reply to Mike Abrams from comment #8)
> from the code review in the reference bz, can you give a config snippet
> example of the following:
> 
> Each component that uses apache
> must call "include packstack::apache_common".  This ensures that
> a subsequent component manifest will not wipe out apache
> configuration created by a previous component manifest or the initial
> apache configuration created by prescript.pp.
> 
> please indicate parameters/examples for testing past this entry in the
> answer file:
> 
> [general]
> CONFIG_KEYSTONE_SERVICE_NAME=httpd
> 
> Thanks.

The comment was really meant as a note to future packstack coders who write packstack puppet modules.  There really isn't anything you need to do when running packstack, no extra command line options or answer file directives.

If you wanted to see the examples in the actual puppet code:

https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L22

https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/horizon.pp#L1

https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/nagios_server.pp#L1

Comment 10 Mike Abrams 2015-03-16 09:06:01 UTC
PASSED.

---

Added

[general]
CONFIG_KEYSTONE_SERVICE_NAME=httpd

to packstack answer file.

Tested the service with ps, filtering for keystone (it runs in httpd, not in the keystone service).

Tested functionality using keystone sanity.

Comment 12 Nathan Kinder 2015-04-01 03:25:32 UTC
This was not properly verified.  I think Rich's comment in comment #9 was misinterpreted as a description of how to verify this issue, when it was really just a response to the question in comment #9.

To test this, you need to set the CONFIG_KEYSTONE_LDAP_* options in a packstack answer file to allow packstack to configure Keystone to use an LDAP server.  The new settings are documented in comments if you have packstack generate an answer file.  The concepts map directly to keystone LDAP configuration settings, so they should make sense to one familiar with configuring keystone for LDAP in previous releases.

Putting this back ON_QA so verification can be completed.

Comment 16 Lon Hohberger 2015-06-29 12:52:56 UTC
Still unstable upstream.

Comment 19 Ivan Chavero 2015-08-28 06:55:01 UTC
In a read-write setup, I don't get the problem. Can you confirm this?

Comment 21 Ivan Chavero 2015-10-08 14:48:43 UTC
Right now, puppet-neutron and puppet-cinder don't support keystone v3; this has to be added to the modules for this bug to be fixed.

Comment 22 Rich Megginson 2015-10-13 14:02:25 UTC
(In reply to Ivan Chavero from comment #19)
> In a read-write setup, I don't get the problem. Can you confirm this?

Read-write setup is working for you?  That's good.  We also need read-only LDAP to work.
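The answer-file settings comment 12 describes, and the read-only versus read-write distinction raised in comments 19 and 22, as an added Python example (not packstack's or keystone's own code): it parses a constructed answer file, derives the keystone.conf [ldap] options under an assumed key-to-option mapping, and audits the result for cleartext binds, unverified TLS, a writable directory (keystone's default when the ALLOW flags are left unset) and an unmapped enabled attribute. The hostnames, DNs, CA path and password in the samples are made up.

```python
"""Derive the keystone.conf [ldap] options implied by CONFIG_KEYSTONE_LDAP_*
answer-file keys and audit them before packstack is run.
Added example, not packstack's or keystone's code. The key-to-option mapping is
assumed from the option names; the sample answer files are constructed."""
import configparser

PREFIX = "CONFIG_KEYSTONE_LDAP_"
# Assumed: a key maps to the lower-cased remainder after PREFIX, except these four.
SPECIAL = {"USER_DN": "user", "USER_PASSWORD": "password",
           "USER_SUBTREE": "user_tree_dn", "GROUP_SUBTREE": "group_tree_dn"}
# keystone's defaults for the options the audit looks at (all *_allow_* are True).
KEYSTONE_DEFAULTS = {"use_tls": "False", "tls_req_cert": "demand",
                     "user_allow_create": "True", "user_allow_update": "True",
                     "user_allow_delete": "True", "group_allow_create": "True",
                     "group_allow_update": "True", "group_allow_delete": "True"}
WRITE_FLAGS = tuple(k for k in KEYSTONE_DEFAULTS if "_allow_" in k)


def parse_answer_file(text):
    """Read the [general] section of a packstack answer file into a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the upper-case key names intact
    cp.read_string(text)
    return dict(cp["general"])


def to_ldap_section(answers):
    """Map answers to [ldap] options; empty unless the identity backend is ldap."""
    if answers.get("CONFIG_KEYSTONE_IDENTITY_BACKEND", "sql").lower() != "ldap":
        return {}
    return {SPECIAL.get(k[len(PREFIX):], k[len(PREFIX):].lower()): v
            for k, v in answers.items() if k.startswith(PREFIX) and v != ""}


def render_keystone_conf(ldap):
    """Render the options as a keystone.conf [ldap] section."""
    return "[ldap]\n" + "".join(f"{k} = {v}\n" for k, v in sorted(ldap.items()))


def _true(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_ldap_section(ldap):
    """Return (code, message) findings. Unset options are judged by keystone's
    own defaults, which leave the directory writable."""
    cfg = {**KEYSTONE_DEFAULTS, **ldap}
    url, use_tls = cfg.get("url", ""), _true(cfg["use_tls"])
    findings = []
    if url.startswith("ldap://") and not use_tls:
        findings.append(("cleartext", "bind password and user passwords cross the "
                         "network in clear: use ldaps:// or use_tls=True"))
    if (use_tls or url.startswith("ldaps://")) and cfg["tls_req_cert"].lower() != "demand":
        findings.append(("tls-no-verify", f"tls_req_cert={cfg['tls_req_cert']} does "
                         "not verify the server certificate; use demand"))
    for opt in WRITE_FLAGS:
        if _true(cfg[opt]):
            findings.append((f"writable:{opt}", f"{opt} is True (keystone's default "
                             "when unset): set False for a read-only directory"))
    if "user_enabled_attribute" not in ldap:
        findings.append(("no-enabled-attr", "user_enabled_attribute not mapped: "
                         "directory-disabled accounts fall back to "
                         "user_enabled_default and may still authenticate"))
    return findings


# Constructed samples; hostnames, DNs, CA path and password are made up.
WEAK_ANSWERS = """[general]
CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap
CONFIG_KEYSTONE_LDAP_URL=ldap://ldap.example.com
CONFIG_KEYSTONE_LDAP_USER_DN=cn=keystone,ou=services,dc=example,dc=com
CONFIG_KEYSTONE_LDAP_USER_PASSWORD=changeme
CONFIG_KEYSTONE_LDAP_USER_SUBTREE=ou=People,dc=example,dc=com
CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS=inetOrgPerson
CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE=uid
CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE=True
CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE=True
CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE=True
CONFIG_KEYSTONE_LDAP_USE_TLS=False
"""
# Read-only, certificate-verified variant (389-ds style lock attribute, inverted).
HARDENED_ANSWERS = WEAK_ANSWERS.replace("ldap://", "ldaps://").replace(
    "ALLOW_CREATE=True", "ALLOW_CREATE=False").replace(
    "ALLOW_UPDATE=True", "ALLOW_UPDATE=False").replace(
    "ALLOW_DELETE=True", "ALLOW_DELETE=False") + """\
CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE=nsAccountLock
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=True
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE=False
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE=False
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE=False
CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE=/etc/pki/tls/certs/ldap-ca.crt
CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT=demand
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ANSWERS), ("hardened", HARDENED_ANSWERS)):
        ldap = to_ldap_section(parse_answer_file(text))
        print(f"--- {name}\n{render_keystone_conf(ldap)}")
        for code, msg in audit_ldap_section(ldap):
            print(f"  [{code}] {msg}")
```

The weak sample yields eight findings (cleartext bind, six writable flags because the three GROUP_ALLOW_* keys are unset and keystone defaults them to True, and no enabled attribute); the hardened read-only variant yields none. The four renamed keys in SPECIAL are the part of the assumed mapping most worth checking against the comments packstack writes into a generated answer file.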

Comment 23 Rich Megginson 2015-10-13 14:03:04 UTC
(In reply to Ivan Chavero from comment #21)
> Right now, puppet-neutron and puppet-cinder don't support keystone v3; this
> has to be added to the modules for this bug to be fixed.

I don't think it is necessary for all modules to support keystone v3 in order to support Keystone LDAP.

Comment 24 Nathan Kinder 2016-01-20 00:33:18 UTC
Clearing stale NEEDINFO flags.

Comment 26 Christopher Brown 2017-06-17 19:16:24 UTC
Packstack has supported v3 since a while back, so this can be closed now.

